If you process personal data on behalf of clients — or if a vendor processes yours — you need a DPA. It's a GDPR requirement, not optional. Generate one free.
No paywalls. No subscriptions. Just the legal document your vendor contracts require.
The GDPR requires a written contract between controllers and processors; Article 28(9) says it must be in writing, which includes electronic form. Not a handshake, not an email chain: a documented DPA. Every vendor who touches your customer data needs one. No exceptions.
A good DPA is as important for the processor as it is for the controller. It defines what you're allowed to do with the data, protects you from overreach claims, and sets clear boundaries if something goes wrong.
If you're selling to mid-market or enterprise clients in the EU, their legal teams will ask for a DPA before they sign. Not having one ready costs deals. Having one ready costs nothing.
The specifics you need to understand before generating your agreement.
Let's start with the basics. Under GDPR, there are two roles that matter for data processing. The data controller is the organization that decides why and how personal data is processed. That's usually you — the company that collected user data to provide a service. The data processor is a third party that processes personal data on your behalf according to your instructions. Think your email marketing platform, your analytics provider, your cloud hosting company, your payment processor.
The moment you hand customer data to any of these vendors, GDPR Article 28 kicks in. And it requires a written contract. Not an email. Not a checkbox in their terms of service. A specific, documented agreement that sets out the subject matter, duration, nature and purpose of the processing, the types of data and categories of data subjects, and every obligation listed in Article 28(3), from processing only on documented instructions to deletion or return of the data at the end of the engagement.
What happens when you don't have one? The missing contract is itself an infringement, regardless of whether any data is ever lost. Under Article 83(4), breaches of the controller and processor obligations in Articles 25 to 39, which include Article 28, carry administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher. Supervisory authorities can, and do, check for the agreement during routine investigations rather than only after an incident.
Then there's the sub-processor chain. This is where it gets interesting. When you use a CRM like HubSpot, HubSpot is your processor. But HubSpot uses Amazon Web Services to store data. AWS is a sub-processor. Under Article 28(2), your DPA must either specifically authorize these sub-processors or set up a general authorization process with notification requirements. If HubSpot adds a new sub-processor without telling you, and your DPA doesn't address this, you're both potentially exposed.
Cross-border transfers got a lot more complicated after the Court of Justice of the European Union's Schrems II ruling in July 2020. The ruling invalidated the EU-US Privacy Shield. That meant thousands of businesses were suddenly transferring data to the US without a valid legal mechanism. The main replacement is the Standard Contractual Clauses (SCCs), pre-approved contract templates issued by the European Commission (the current set was adopted in June 2021), and Schrems II also expects the exporter to assess whether the destination country's law undermines the protection the SCCs promise. Since July 2023 the EU-US Data Privacy Framework adequacy decision covers transfers to US companies certified under that framework, so SCCs are not needed for those recipients. Your DPA should state which mechanism applies if you're working with non-EU processors.
The 72-hour breach notification requirement is another non-negotiable. Under GDPR Article 33(1), you have 72 hours from becoming aware of a personal data breach to notify your supervisory authority. But here's the thing: if the breach happens at your processor's end, they're the ones who'll find out first. Article 33(2) obliges the processor to notify you "without undue delay", but that phrase sets no clock, so your DPA needs to pin it down to a deadline that leaves you room to meet your own. Our generator specifies 24 hours from the processor's discovery of the breach.
And audit rights. Many companies skip this because it feels theoretical — you're never actually going to audit Stripe. But including audit rights (or at minimum, the right to receive audit reports and certifications) gives you leverage and demonstrates accountability. For processors serving regulated industries like healthcare or finance, documented audit rights are non-negotiable.
The Swedish data protection authority fined a hospital for using a vendor without a valid DPA, even though no breach occurred. The Austrian DPA found that a website's use of Google Analytics sent visitor data to the US without a valid transfer mechanism after Schrems II, and therefore violated GDPR. The Irish DPC investigated companies specifically for missing or inadequate DPAs with their SaaS vendors. This isn't theoretical risk. It's the kind of thing that shows up in routine audits.
For special category data (health records, biometric data, religious beliefs, political opinions), the requirements are even stricter. Article 9 of GDPR imposes additional conditions on processing this data. Your DPA should explicitly acknowledge the data categories involved and the specific security measures that apply to them. Health data in particular requires explicit consent or one of the narrow exemptions, and your processor needs to be bound to these restrictions contractually.
The bottom line is this. If you're a SaaS company, an agency, a startup, or any business that uses software to store or process customer data, you need DPAs with your vendors. And if you process data on behalf of clients, they need DPAs with you. Our generator creates both sides of this equation. Fill in the form, generate, download. Done.
Every clause your legal team would include. All of them. For free.
Full identification of both the data controller and data processor, including registered addresses, contact details, and legal representatives.
Clear definition of what the processing covers, the term of the agreement, and what happens to data when the agreement ends.
Specific description of what the processor does with the data and for what purposes, ensuring processing stays within authorized boundaries.
Inventory of the types of personal data being processed and the categories of individuals whose data is included (customers, employees, users).
What the data controller commits to: providing lawful instructions, ensuring data subjects have been informed, and maintaining appropriate records.
Confidentiality requirements, staff training obligations, security implementation requirements, and the duty to follow controller instructions only.
Framework for approving sub-processors, notification requirements when sub-processors change, and flow-down obligations to ensure the sub-processor is equally bound.
Technical and organizational security measures as required by GDPR Article 32, including encryption, access controls, and incident response capabilities.
Processor's obligation to notify the controller within 24 hours of discovering a breach, with the information required under Article 33(3) of GDPR.
Clear process for returning or securely deleting all personal data at contract termination, with written certification that deletion has occurred.
Everything you need to know about Data Processing Agreements
What you'd pay a law firm or paid service versus what you get here for free.
| Feature | FreeTOS | Paid DPA Service | Law Firm Template |
|---|---|---|---|
| Price | Free | $15/mo+ | $300+ |
| Signup Required | No | Yes | Yes |
| Article 28 Compliance | Full | Full | Full |
| SCCs Included | Yes | Paid tier | Separate doc |
| PDF Download | Free | Paid plan | Included |
| Customization | AI-tailored | Template-based | Manual edit |
| Instant Generation | Yes | Yes | Days/weeks |
Three common scenarios where your DPA gets used and how to handle each one.